RE: Strange "shotgun" scan

From: Larry Thompson (lthompson999at_private)
Date: Thu May 09 2002 - 14:40:05 PDT


    Looks like it could be a SYN Land attack. There are plenty of "scripts" out
    there to run this kind of attack. Report the abuse.
    
    -----Original Message-----
    From: Ken Hodges [mailto:khodgesat_private]
    Sent: Thursday, May 09, 2002 1:30 PM
    To: incidentsat_private
    Subject: Strange "shotgun" scan

    Has anyone seen this type of scan before? I received close
    to 10K scans during a 15 minute period. It appears that the
    person was scanning totally random ports on all of my IP
    range. Just curious if it is some known program, or if
    anyone has seen this before.

    Thanks.

    Ken.
    
    May  8 18:56:26 24.165.73.85:2070 -> 206.40.XXX.XXA:394 SYN 12****S*
    May  8 18:56:26 24.165.73.85:2071 -> 206.40.XXX.XXA:478 SYN 12****S*
    May  8 18:56:26 24.165.73.85:2072 -> 206.40.XXX.XXA:770 SYN 12****S*
    May  8 18:56:26 24.165.73.85:2073 -> 206.40.XXX.XXA:350 SYN 12****S*
    May  8 18:56:26 24.165.73.85:2074 -> 206.40.XXX.XXA:126 SYN 12****S*
    May  8 18:56:26 24.165.73.85:2075 -> 206.40.XXX.XXA:3462 SYN 12****S*
    May  8 18:56:26 24.165.73.85:2076 -> 206.40.XXX.XXA:1003 SYN 12****S*
    May  8 18:56:26 24.165.73.85:2077 -> 206.40.XXX.XXA:1546 SYN 12****S*
    May  8 18:56:26 24.165.73.85:2078 -> 206.40.XXX.XXA:980 SYN 12****S*
    May  8 18:56:26 24.165.73.85:2079 -> 206.40.XXX.XXA:680 SYN 12****S*
    May  8 18:56:27 24.165.73.85:2100 -> 206.40.XXX.XXA:819 SYN 12****S*
    May  8 18:56:27 24.165.73.85:2101 -> 206.40.XXX.XXA:749 SYN 12****S*
    May  8 18:56:27 24.165.73.85:2102 -> 206.40.XXX.XXA:727 SYN 12****S*
    May  8 18:56:27 24.165.73.85:2103 -> 206.40.XXX.XXA:412 SYN 12****S*
    May  8 18:56:27 24.165.73.85:2104 -> 206.40.XXX.XXA:5432 SYN 12****S*
    May  8 18:56:27 24.165.73.85:2105 -> 206.40.XXX.XXA:554 SYN 12****S*
    May  8 18:56:27 24.165.73.85:2106 -> 206.40.XXX.XXA:1989 SYN 12****S*
    May  8 18:56:27 24.165.73.85:2107 -> 206.40.XXX.XXA:460 SYN 12****S*
    May  8 18:56:27 24.165.73.85:2108 -> 206.40.XXX.XXA:696 SYN 12****S*
    May  8 18:56:27 24.165.73.85:2109 -> 206.40.XXX.XXA:1998 SYN 12****S*
    May  8 18:56:28 24.165.73.85:2130 -> 206.40.XXX.XXA:867 SYN 12****S*
    May  8 18:56:28 24.165.73.85:2131 -> 206.40.XXX.XXA:776 SYN 12****S*
    May  8 18:56:28 24.165.73.85:2132 -> 206.40.XXX.XXA:799 SYN 12****S*
    May  8 18:56:28 24.165.73.85:2133 -> 206.40.XXX.XXA:1419 SYN 12****S*
    May  8 18:56:28 24.165.73.85:2134 -> 206.40.XXX.XXA:970 SYN 12****S*
    May  8 18:56:28 24.165.73.85:2135 -> 206.40.XXX.XXA:20 SYN 12****S*
    May  8 18:56:28 24.165.73.85:2136 -> 206.40.XXX.XXA:67 SYN 12****S*
    
    
    
    And it goes on and on....
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com
    
    
    



    This archive was generated by hypermail 2b30 : Thu May 09 2002 - 15:14:39 PDT
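
A triage pass over log lines in the format quoted in the thread, as an added example that is not part of the original messages: it groups SYN records by source, counts distinct destination hosts and ports, and checks the Land condition (source address and port equal to the destination's). The sample lines, the `min_ports` threshold and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Format of the log excerpt quoted in the thread:
#   May  8 18:56:26 SRC:SPORT -> DST:DPORT SYN 12****S*
LINE_RE = re.compile(
    r"^\w{3}\s+\d+\s+\d\d:\d\d:\d\d\s+"
    r"(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)\s+SYN\b")

# Constructed sample (documentation addresses), not data from the thread.
SAMPLE = """\
May  8 18:56:26 198.51.100.7:2070 -> 192.0.2.10:394 SYN 12****S*
May  8 18:56:26 198.51.100.7:2071 -> 192.0.2.10:478 SYN 12****S*
May  8 18:56:26 198.51.100.7:2072 -> 192.0.2.11:770 SYN 12****S*
May  8 18:56:27 198.51.100.7:2073 -> 192.0.2.11:350 SYN 12****S*
May  8 18:56:27 198.51.100.7:2074 -> 192.0.2.12:126 SYN 12****S*
May  8 18:56:27 198.51.100.7:2100 -> 192.0.2.12:3462 SYN 12****S*
May  8 18:56:28 192.0.2.20:139 -> 192.0.2.20:139 SYN 12****S*
not a log line
""".splitlines()

def parse(lines):
    """Yield (src, sport, dst, dport) for each line that matches LINE_RE."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m["src"], int(m["sport"]), m["dst"], int(m["dport"])

def triage(lines, min_ports=5):
    """Per-source summary; min_ports is an assumed threshold."""
    by_src = defaultdict(list)
    for rec in parse(lines):
        by_src[rec[0]].append(rec)
    report = {}
    for src, recs in by_src.items():
        sports = [r[1] for r in recs]
        dports = {r[3] for r in recs}
        # Land condition: source address and port equal the destination's.
        land = sum(1 for s, sp, d, dp in recs if s == d and sp == dp)
        # Source ports stepping by one are consistent with OS-assigned
        # ephemeral ports, i.e. one host opening connections in a loop.
        steps = sum(1 for a, b in zip(sports, sports[1:]) if b - a == 1)
        verdict = ("land-style" if land else
                   "port-scan" if len(dports) >= min_ports else "unclassified")
        report[src] = {"records": len(recs), "dst_hosts": len({r[2] for r in recs}),
                       "dst_ports": len(dports), "sequential_sports": steps,
                       "land": land, "verdict": verdict}
    return report

if __name__ == "__main__":
    for src, row in triage(SAMPLE).items():
        print(src, row)
```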